NSXT Terraform provider crashes when trying to add nsxt_policy_intrusion_service_profile #1548

Open
hbechtel opened this issue Feb 20, 2025 · 2 comments · May be fixed by #1552

@hbechtel

Describe the bug

When adding the resource

resource "nsxt_policy_intrusion_service_profile" "idpsProf-SevCritHigh-All" {
  display_name = "idpsProf-SevCritHigh-All"
  description  = "All signatures with critical or high severity"
  severities   = ["CRITICAL", "HIGH"]

  criteria {}

  tag {
    scope = local.tags.nsxtTagsTfScope
    tag   = local.tags.gitHubRepoName
  }
}

the TF provider crashes when trying to apply this change:

userXXX@serverYYY ~/some-path/terraform (main) $ tf init -upgrade
[…]
Terraform v1.8.5

Initializing the backend...
Upgrading modules...
[…]

Initializing provider plugins...
[…]
- Using previously-installed vmware/nsxt v3.8.0
[…]

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

userXXX@serverYYY ~/some-path//terraform (main) $ tf apply
[…]
Terraform v1.8.5

[…]


Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # nsxt_policy_intrusion_service_profile.idpsProf-SevCritHigh-All will be created
  + resource "nsxt_policy_intrusion_service_profile" "idpsProf-SevCritHigh-All" {
      + description  = "All signatures with critical or high severity"
      + display_name = "idpsProf-SevCritHigh-All"
      + id           = (known after apply)
      + nsx_id       = (known after apply)
      + path         = (known after apply)
      + revision     = (known after apply)
      + severities   = [
          + "CRITICAL",
          + "HIGH",
        ]

      + criteria {}

      + tag {
          + scope = "tf"
          + tag   = "tf-nsxt-vpc-dev"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes


nsxt_policy_intrusion_service_profile.idpsProf-SevCritHigh-All: Creating...
╷
│ Error: Plugin did not respond
│ 
│   with nsxt_policy_intrusion_service_profile.idpsProf-SevCritHigh-All,
│   on 090_sharedObjects_IDPSProfiles.tf line 36, in resource "nsxt_policy_intrusion_service_profile" "idpsProf-SevCritHigh-All":
│   36: resource "nsxt_policy_intrusion_service_profile" "idpsProf-SevCritHigh-All" {
│ 
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵

Stack trace from the terraform-provider-nsxt_v3.8.0 plugin:

panic: interface conversion: interface {} is nil, not map[string]interface {}

goroutine 57 [running]:
github.com/vmware/terraform-provider-nsxt/nsxt.getIdsProfileCriteriaFromSchema(0xc0005ebc80?)
        github.com/vmware/terraform-provider-nsxt/nsxt/resource_nsxt_policy_intrusion_service_profile.go:189 +0xc91
github.com/vmware/terraform-provider-nsxt/nsxt.resourceNsxtPolicyIntrusionServiceProfileCreate(0xc0005ebc80, {0x1bfd980, 0xc0000aa9c0})
        github.com/vmware/terraform-provider-nsxt/nsxt/resource_nsxt_policy_intrusion_service_profile.go:361 +0x1aa
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0x1f53df8?, {0x1f53df8?, 0xc000648270?}, 0xd?, {0x1bfd980?, 0xc0000aa9c0?})
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:766 +0x15f
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc0001d47e0, {0x1f53df8, 0xc000648270}, 0xc0006560d0, 0xc0005ebb00, {0x1bfd980, 0xc0000aa9c0})
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:909 +0xa89
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0xc000373d88, {0x1f53df8?, 0xc0006481b0?}, 0xc000628d70)
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:1060 +0xd5c
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0xc000240d20, {0x1f53df8?, 0xc000635770?}, 0xc000195b90)
        github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:859 +0x56f
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x1c20600, 0xc000240d20}, {0x1f53df8, 0xc000635770}, 0xc000195b20, 0x0)
        github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:467 +0x1a6
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0002381e0, {0x1f58b80, 0xc0005ac000}, 0xc000638b40, 0xc000188690, 0x28949b8, 0x0)
        google.golang.org/[email protected]/server.go:1358 +0xde3
google.golang.org/grpc.(*Server).handleStream(0xc0002381e0, {0x1f58b80, 0xc0005ac000}, 0xc000638b40, 0x0)
        google.golang.org/[email protected]/server.go:1735 +0x9da
google.golang.org/grpc.(*Server).serveStreams.func1.1()
        google.golang.org/[email protected]/server.go:970 +0xbb
created by google.golang.org/grpc.(*Server).serveStreams.func1 in goroutine 35
        google.golang.org/[email protected]/server.go:981 +0x136

Error: The terraform-provider-nsxt_v3.8.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

userXXX@serverYYY ~/some-path/terraform (main) $ 

Other profiles are created without crashing, e.g.:

resource "nsxt_policy_intrusion_service_profile" "idpsProf-SevCRITICAL-All" {
  display_name = "idpsProf-SevCRITICAL-All"
  description  = "All signatures with critical severity"
  severities   = ["CRITICAL"]

  criteria {}

  tag {
    scope = local.tags.nsxtTagsTfScope
    tag   = local.tags.gitHubRepoName
  }
}

resource "nsxt_policy_intrusion_service_profile" "idpsProf-CvssCRITICAL-All" {
  display_name = "idpsProf-CvssCRITICAL-All"
  description  = "All signatures with critical CVSS"
  severities   = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]

  criteria {
    cvss = ["CRITICAL"]
  }

  tag {
    scope = local.tags.nsxtTagsTfScope
    tag   = local.tags.gitHubRepoName
  }
}

resource "nsxt_policy_intrusion_service_profile" "idpsProf-SevCritHigh-Windows" {
  display_name = "idpsProf-SevCritHigh-Windows"
  description  = "All signatures with critical or high severity and any Windows affected product"
  severities   = ["CRITICAL", "HIGH"]

  criteria {
    products_affected = [
      "Microsoft_Windows_11_23H2", "Microsoft_Windows_10",
      "Windows_XP_Vista_7_8_10_11_Server_32_64_Bit", "Windows_DNS_server",
      "affected_product Microsoft_Windows_10_11_Server_32_64_Bit",
      "Microsoft_Windows_Xp", "Windows_Server_2019", "Microsoft_Windows_7_Server_2008_R2",
      "Windows_Cryptoapi", "Windows_RDL_Service", "Microsoft_Windows_Server_2016", "Windows_Server_2016",
      "affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit", "Microsoft_Windows_Messenger",
      "Microsoft_Windows_10_11_Server_32_64_Bit", "Windows_Client_Apps",
      "Windows_XP_Vista_7_8_10_Server_32_64_Bit", "Windows_11", "Windows_8"
    ]
  }

  tag {
    scope = local.tags.nsxtTagsTfScope
    tag   = local.tags.gitHubRepoName
  }
}

Reproduction steps

  1. Configure resource resource "nsxt_policy_intrusion_service_profile" "idpsProf-SevCritHigh-All" as stated in the description.
  2. Run "terraform init -upgrade"
  3. Run terraform apply

Expected behavior

The Terraform provider should not crash but create the Intrusion service profile as configured.

Additional context

No response

@hbechtel hbechtel added the bug Bug label Feb 20, 2025
@salv-orlando salv-orlando added this to the v3.9.0 milestone Feb 21, 2025
@annakhm
Collaborator

annakhm commented Feb 24, 2025

Thanks for reporting this @hbechtel, the fix is in the making. If you would like to avoid the crash before the fix is released, you can remove the empty criteria block.

@annakhm annakhm linked a pull request Feb 25, 2025 that will close this issue
@hbechtel
Author

@annakhm As far as I see it, it is not possible to remove the criteria block because it is a required statement. If not present, TF will complain about it. I found that the crash only happens when the criteria block is empty and the severities statement includes more than one value.
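
The panic in the stack trace above is what Go raises for an unchecked type assertion on a nil interface value. The Go code below is an added illustration, not the provider's source and not the change in #1552: it reproduces that class of panic and shows the nil check plus comma-ok assertion that avoids it. The helper names, the `cvss`-only handling and the input shape (a one-element list holding nil for an empty `criteria {}` block) are assumptions.

```go
package main

import "fmt"

// criteriaUnsafe is a hypothetical helper using an unchecked type assertion.
// Assumption: an empty `criteria {}` block arrives as a list holding one nil.
func criteriaUnsafe(blocks []interface{}) []string {
	data := blocks[0].(map[string]interface{}) // panics when blocks[0] is nil
	return toStrings(data["cvss"])
}

// criteriaSafe treats a missing or empty block as "no criteria"; any other type is an error.
func criteriaSafe(blocks []interface{}) ([]string, error) {
	if len(blocks) == 0 || blocks[0] == nil {
		return nil, nil
	}
	if data, ok := blocks[0].(map[string]interface{}); ok {
		return toStrings(data["cvss"]), nil
	}
	return nil, fmt.Errorf("criteria: unexpected type %T", blocks[0])
}

// toStrings keeps the string items of a list; nil or another type yields none.
func toStrings(v interface{}) []string {
	items, _ := v.([]interface{}) // comma-ok form never panics
	out := make([]string, 0, len(items))
	for _, it := range items {
		if s, ok := it.(string); ok {
			out = append(out, s)
		}
	}
	return out
}

// panicMessage runs f and returns the recovered panic text, or "" if none.
func panicMessage(f func()) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	f()
	return msg
}

func main() {
	empty := []interface{}{nil} // constructed input for an empty criteria block
	fmt.Println(panicMessage(func() { criteriaUnsafe(empty) }))
	fmt.Println(criteriaSafe(empty))
}
```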
